6.9
CVE-2026-6987 - PicoClaw Web Launcher Management Plane restart command injection
A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of β¦
6.3
CVE-2026-6986 - Cesanta Mongoose GCM Authentication Tag tls_aes128.c mg_aes_gcm_decrypt signature verification
A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This issue affects the function mg_aes_gcm_decrypt of the file /src/tls_aes128.c of the component GCM Authentication Tag Handler. Such manipulation leads to improper verification of cryptographic signature. The attack may beβ¦
6.9
CVE-2026-6985 - Cesanta Mongoose TCP Option net_builtin.c handle_opt infinite loop
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. Theβ¦
5.1
CVE-2026-6984 - AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The attacβ¦
5.1
CVE-2026-6983 - pagekit download server-side request forgery
A vulnerability was identified in pagekit up to 1.0.18. Affected by this issue is some unknown functionality of the file /index.php/admin/system/update/download. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is β¦
5.3
CVE-2026-6982 - star7th ShowDoc API Page Sort Endpoint PageController.class.PHP sql injection
A vulnerability was determined in star7th ShowDoc up to 2.10.10/3.6.2/3.8.0. Affected by this vulnerability is an unknown functionality of the file server/Application/Api/Controller/PageController.class.PHP of the component API Page Sort Endpoint. Executing a manipulation of the argument pages can β¦
5.3
CVE-2026-6981 - IhateCreatingUserNames2 AiraHub2 Endpoint AiraHub.py sync_agents server-side request forgery
A vulnerability was found in IhateCreatingUserNames2 AiraHub2 up to 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. Affected is the function connect_stream_endpoint/sync_agents of the file AiraHub.py of the component Endpoint. Performing a manipulation results in server-side request forgery. The attack mβ¦
6.9
CVE-2026-6980 - Divyanshu-hash GitPilot-MCP main.py repo_path command injection
A vulnerability has been found in Divyanshu-hash GitPilot-MCP up to 9ed9f153ba4158a2ad230ee4871b25130da29ffd. This impacts the function repo_path of the file main.py. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been discβ¦
5.3
CVE-2026-6979 - devlikeapro WAHA API Request media.controller.ts server-side request forgery
A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and mayβ¦
5.1
CVE-2026-6978 - JiZhiCMS addcache.html htmlspecialchars_decode sql injection
A vulnerability was detected in JiZhiCMS up to 2.5.6. The impacted element is the function htmlspecialchars_decode of the file /index.php/admins/Sys/addcache.html. The manipulation of the argument sqls results in sql injection. It is possible to launch the attack remotely. The exploit is now publicβ¦